Abstract

Designing an efficient lattice-based cryptosystem secure against adaptive chosen ciphertext attack (IND-CCA2) is a challenging problem. To date, full CCA2-security of all proposed lattice-based cryptosystems has been achieved by using generic transformations such as either strongly unforgeable one-time signature schemes (SU-OT-SS), or a message authentication code (MAC) and a weak form of commitment. The drawback of these schemes is that encryption requires a separate encryption. Therefore, the resulting encryption scheme is not sufficiently efficient to be used in practice, and it is inappropriate for many applications such as small ubiquitous computing devices with limited resources such as smart cards, active RFID tags, wireless sensor networks and other embedded devices.

In this work, for the first time, we introduce an efficient universal random data padding (URDP) scheme, and show how it can be used to construct a direct CCA2-secure encryption scheme from any worst-case hardness problem in (ideal) lattices in the standard model, resolving a problem that has remained open to date. This novel approach is a black-box construction and leads to the elimination of the separate encryption, as it avoids using a general transformation from a CPA-secure scheme to a CCA2-secure one. The IND-CCA2 security of this scheme can be tightly reduced in the standard model to the assumption that the underlying primitive is a one-way trapdoor function.
I. Introduction

Devising a quantum computer will enable us to break public-key cryptosystems based on the integer factoring (IF) and discrete logarithm (DL) problems [17]. Under this future threat, it is important to search for secure PKEs based on other problems. Lattice-based PKE schemes hold great promise for post-quantum cryptography, as they enjoy very strong security proofs based on worst-case hardness, relatively efficient implementations, as well as great simplicity and, lately, their promising potential as a platform for constructing advanced functionalities.

The ultimate goal of public-key encryption is the production of a simple and efficient encryption scheme that is provably secure in a strong security model under a weak and reasonable computational assumption. The accepted notion for the security of a public-key encryption scheme is semantic security against adaptive chosen ciphertext attack (i.e. IND-CCA2) [13]. In this scenario, the adversary has access to the decryption oracle after having seen the challenge ciphertext. The adversary is not allowed to ask for the decryption of the challenge ciphertext, but can obtain the decryption of any related cryptogram (even modified ones based on the challenge ciphertext). A cryptosystem is said to be CCA2-secure if the cryptanalyst fails to obtain any partial information about the plaintext corresponding to the challenge ciphertext.



A. Related work 

In order to design CCA2-secure lattice-based encryption schemes, many successes have been reached. There are two approaches for constructing CCA2-secure lattice-based cryptosystems in the standard model. Existing CCA2-secure schemes exhibit various incomparable tradeoffs between key size and error rate.

- CCA-secure cryptosystems based on lossy trapdoor functions. Peikert and Waters [11] showed for the first time how to construct a CCA2-secure encryption scheme from a primitive called a lossy all-but-one (ABO) trapdoor function family, along with a SU-OT-SS. They showed how to construct this primitive based on the learning with errors (LWE) problem. This result is particularly important as it gives for the first time a CCA-secure cryptosystem based on the worst-case hardness of lattice problems. It has public keys of size $O(n^{?})$ bits and relies on a quite small LWE error rate of $\alpha = O(1/n^{?})$. Subsequently, Peikert [12] showed how to construct a correlation-secure trapdoor function family from the LWE problem, and used it within the Rosen-Segev scheme [18] to obtain another lattice-based CCA-secure scheme. Unfortunately, the latter scheme also suffers from a long public-key and ciphertext length of $O(n^{?})$ bits, but uses a better error rate of $O(1/n)$ in the security parameter $n$, even if applied in the Ring-LWE setting. Recently, Micciancio and Peikert [10] gave new methods for generating simpler, tighter, faster and smaller trapdoors in cryptographic lattices to achieve a CCA-secure cryptosystem. Their construction gives a CCA-secure cryptosystem that enjoys the best of all prior constructions: it has $\Theta(n^{?})$-bit public keys and uses error rate $O(1/n)$. Recently, Steinfeld et al. [15] introduced the first CCA2-secure variant of NTRU [9] in the standard model with provable security from worst-case problems in ideal lattices. They construct a CCA-secure scheme using a lossy trapdoor function, which they generalize to the case of $(k-1)$-of-$k$-correlated input distributions.

- CCA-secure cryptosystems based on IBE. More constructions of IND-CCA2 secure lattice-based encryption schemes can be obtained by using the lattice-based selective-ID secure identity-based encryption (IBE) schemes of [1], [2], [3], [4], [14], [16], [19] within the generic constructions of [5], [6], and a SU-OT-SS or commitment scheme.

All the above schemes use generic transformations from CPA to CCA2 security in the standard model, e.g., the Dolev et al. approach [8], the Canetti et al. paradigm [6] or the Boneh et al. approach [5]. They typically involve either a SU-OT-SS or a MAC and commitment scheme to make the ciphertext authentic and non-malleable. So, the resulting encryption scheme requires a separate encryption and thus is not sufficiently efficient to be used in practice, and it is inappropriate for many applications such as small ubiquitous computing devices with limited resources such as smart cards, active RFID tags, wireless sensor networks and other embedded devices.

To date, there is no generic direct transformation from any lattice-based one-way trapdoor cryptosystem (i.e., worst-case hardness problems in lattices) to a CCA2-secure one. In this work, for the first time, we show how to construct a CCA2-secure cryptosystem directly based on worst-case hardness problems in lattices, resolving a problem that has remained open to date.

B. Our contributions 

Our approach has several main benefits:

• It introduces a new generic asymmetric padding-based scheme. The main novelty is that our approach can be applied to any conjectured (post-quantum) one-way trapdoor cryptosystem.

• Our approach yields the first known direct CCA2-secure PKE scheme from worst-case hardness problems in lattices.

• The proposed approach is a "black-box" construction, which makes it more efficient and technically simpler than those previously proposed. The public/secret keys are as in the original scheme and the encryption/decryption complexity is comparable to the original scheme.

• This novel approach leads to the elimination of generic transformations from CPA-secure schemes to CCA2-secure ones.

• Our CCA2-security proof is tightly based on the assumption that the underlying primitive is a trapdoor one-way function. So, the scheme's consistency check can be directly implemented by the simulator without having access to some external gap-oracle as in previous schemes [1], [2], [3], [7], [10], [11], [12], [14], [15], [16], [18], [19]. Thus, our proof technique is fundamentally different from all known approaches to obtaining CCA2-security in lattice-based cryptosystems.

• Additionally, this scheme can be used for the encryption of arbitrary-length long messages without employing the hybrid encryption method and symmetric encryption.

Organization. The rest of this manuscript is organized as follows: In the following section, we briefly explain some notations 
and definitions. Then, in Section 3, we introduce our proposed scheme. Security and performance analysis of the proposed 
scheme will be discussed in Section 4. 

II. Preliminaries

A. Notation

We will use standard notation. If $x$ is a string, then $|x|$ denotes its length. If $k \in \mathbb{N}$, then $\{0,1\}^k$ denotes the set of $k$-bit strings, $1^k$ denotes the string of $k$ ones and $\{0,1\}^*$ denotes the set of bit strings of finite length. $y \leftarrow x$ denotes the assignment to $y$ of the value $x$. For a set $S$, $s \leftarrow_R S$ denotes the assignment to $s$ of a uniformly random element of $S$. For a deterministic algorithm $A$, we write $x \leftarrow A^{O}(y, z)$ to mean that $x$ is assigned the output of running $A$ on inputs $y$ and $z$, with access to oracle $O$. We denote by $\Pr[E]$ the probability that the event $E$ occurs. If $a$ and $b$ are two strings of bits, we denote by $a \| b$ their concatenation. The bit-length of $a$ is denoted by $\mathrm{Len}(a)$, $\mathrm{Lsb}_{x_1}(a)$ means the right $x_1$ bits of $a$ and $\mathrm{Msb}_{x_2}(a)$ means the left $x_2$ bits of $a$.
B. Definitions

Definition 1 (Public-key encryption scheme). A public-key encryption scheme (PKE) is a triple of probabilistic polynomial-time (PPT) algorithms $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ such that:

• Gen is a probabilistic polynomial-time key generation algorithm which takes a security parameter $1^k$ as input and outputs a public key $pk$ and a secret key $sk$. We write $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$. The public key specifies the message space $\mathcal{M}$ and the ciphertext space $\mathcal{C}$.

• Enc is a (possibly) probabilistic polynomial-time encryption algorithm which takes as input a public key $pk$, a message $m \in \mathcal{M}$ and random coins $r$, and outputs a ciphertext $C \in \mathcal{C}$. We write $\mathrm{Enc}(pk, m; r)$ to indicate explicitly that the random coins $r$ are used and $\mathrm{Enc}(pk, m)$ if fresh random coins are used.

• Dec is a deterministic polynomial-time decryption algorithm which takes as input a secret key $sk$ and a ciphertext $C \in \mathcal{C}$, and outputs either a message $m \in \mathcal{M}$ or an error symbol $\bot$. We write $m \leftarrow \mathrm{Dec}(C, sk)$.

• (Completeness) For any pair of public and secret keys generated by Gen and any message $m \in \mathcal{M}$ it holds that $\mathrm{Dec}(sk, \mathrm{Enc}(pk, m; r)) = m$ with overwhelming probability over the randomness used by Gen and the random coins $r$ used by Enc.

Definition 2 (Padding scheme). Let $v, p, k$ be three integers such that $v + p \le k$. A padding scheme $\Pi$ consists of two mappings $\pi : \{0,1\}^v \times \{0,1\}^p \to \{0,1\}^k$ and $\hat{\pi} : \{0,1\}^k \to \{0,1\}^v \times \{0,1\}^p \cup \{\bot\}$ such that $\pi$ is injective and the following consistency requirement is fulfilled:

$$\forall m \in \{0,1\}^v,\ r \in \{0,1\}^p : \hat{\pi}(\pi(m, r)) = m.$$

Definition 3 (CCA2-security). A public-key encryption scheme PKE is secure against adaptive chosen-ciphertext attacks (i.e. IND-CCA2) if the advantage of any two-stage PPT adversary $A = (A_1, A_2)$ in the following experiment is negligible in the security parameter $k$:

$\mathrm{Exp}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{PKE},A}(k)$:

    $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$
    $(m_0, m_1, \mathrm{state}) \leftarrow A_1^{\mathrm{Dec}(sk,\cdot)}(pk)$ s.t. $|m_0| = |m_1|$
    $b \leftarrow_R \{0,1\}$
    $C^* \leftarrow \mathrm{Enc}(pk, m_b)$
    $b' \leftarrow A_2^{\mathrm{Dec}(sk,\cdot)}(C^*, \mathrm{state})$
    if $b = b'$ return 1, else return 0.

The attacker may query a decryption oracle with a ciphertext $C$ at any point during its execution, with the exception that $A_2$ is not allowed to query $\mathrm{Dec}(sk, \cdot)$ with $C^*$. The attacker wins the game if $b = b'$, and the probability of this event is defined as $\Pr[\mathrm{Exp}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{PKE},A}(k) = 1]$. We define the advantage of $A$ in the experiment as

$$\mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{PKE},A}(k) = \left| \Pr\left[\mathrm{Exp}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{PKE},A}(k) = 1\right] - \frac{1}{2} \right|.$$



III. The proposed cryptosystem 

In this section, we introduce our proposed CCA2-secure encryption scheme. Our scheme is a precoding-based algorithm which can transform any one-way trapdoor cryptosystem into a CCA2-secure one in the standard model. Precoding consists of a permutation and the padding of some random obscure data into the message bits.



A. The proposed idea 

Suppose we want to encrypt a message $m \in \{0,1\}^n$. At first, we perform a random encoding of the message bits. To do this, we uniformly choose $r = (r_1, \ldots, r_k) \leftarrow_R \{0,1\}^k$ with $k \ll n$ at random, and let $\mathrm{wt}(r) = h$ be its Hamming weight. If $n/h$ is an integer, then we can divide $m$ into $h$ blocks. Otherwise, in order to divide $m$ into $h$ blocks, we must pad a random binary string (RBS) of length $h \cdot \lceil n/h \rceil - n$ to the right of $m$. In each case, we can divide $m$ into $h$ blocks $d_1 \| d_2 \| \cdots \| d_h$ of equal binary length $v = \lceil n/h \rceil$, where $d_h = \mathrm{Lsb}_{n-(h-1)\lceil n/h \rceil}(m) \| \mathrm{RBS}$. Therefore, if $h \mid n$, then $\mathrm{RBS} = \varnothing$ (the empty string) and $d_h = \mathrm{Lsb}_{n-(h-1)\lceil n/h \rceil}(m)$; otherwise, RBS is a random block of binary length $h \cdot \lceil n/h \rceil - n$ and we have

$$d_h = \mathrm{Lsb}_{n-(h-1)\lceil n/h \rceil}(m) \,\|\, \mathrm{RBS}.$$

Now, we perform a random permutation and pad some random obscure blocks (ROBs) of equal binary length $s$ into the message blocks $d_i$, $1 \le i \le h$, using the padding scheme $\pi : \{0,1\} \times \{0,1\}^{v} \to \{0,1\}^{v} \times \{0,1\}^{s}$, which can be defined as follows:

$$\pi(r_i, d_i) = d'_i = \begin{cases} d_{\sum_{j=1}^{i} r_j} & \text{if } r_i = 1 \\ \mathrm{ROB} & \text{if } r_i = 0 \end{cases}, \qquad 1 \le i \le k.$$

Notice that in order to prevent an excessive increase in the message length, we can choose $s$ small enough. The message $m' = (d'_1 \| d'_2 \| \cdots \| d'_k)$ is called the encoded message. We summarize the encoding process in Algorithm 3.1.

Algorithm 3.1: Random Encoding Algorithm.

Input: $m = (m_1, \ldots, m_n)$, $r \leftarrow_R \{0,1\}^k$ with $n \gg k$.
Output: Encoded message $m' = (d'_1 \| d'_2 \| \cdots \| d'_k)$.
SETUP:

1) $h \leftarrow \mathrm{wt}(r)$.

2) If $h \mid n$ then $v \leftarrow n/h$; else $v \leftarrow \lceil n/h \rceil$, choose an RBS of binary length $h \cdot \lceil n/h \rceil - n$, and $m \leftarrow (m_1, \ldots, m_n \,\|\, \mathrm{RBS})$.

3) Divide $m$ into $h$ blocks $(d_1 \| d_2 \| \cdots \| d_h)$ with equal $\mathrm{Len}(d_i) = v$, $1 \le i \le h$.
PERMUTATION AND PADDING:

1) Uniformly choose an integer $s$ at random.

2) For $i = 1$ to $k$ do: if $r_i = 1$ then $d'_i \leftarrow d_{\sum_{j=1}^{i} r_j}$, else $d'_i \leftarrow$ ROB of binary length $s$.

Return $m' = (d'_1 \| d'_2 \| \cdots \| d'_k)$.

We illustrate Algorithm 3.1 with a small example. Suppose $m = (m_1, \ldots, m_{1117})$ and $r = (0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0)$.
SETUP:

We have $|m| = n = 1117$, $k = 18$ and $h = \sum_{i=1}^{18} r_i = 11$. Since $11 \nmid 1117$, we must pad an RBS of binary length $h \cdot \lceil n/h \rceil - n = 5$ to the right of $m$. If we uniformly choose $1, 0, 1, 1, 0$ at random, we have $m = (m_1, \ldots, m_{1117}, 1, 0, 1, 1, 0)$. Since $h = 11$, the algorithm divides $m$ into 11 blocks of equal length $v = \lceil n/h \rceil = 102$. We have $m = (m_1, \ldots, m_{102} \,\|\, m_{103}, \ldots, m_{204} \,\|\, \cdots \,\|\, m_{1020}, \ldots, m_{1117}, 1, 0, 1, 1, 0)$, where $\mathrm{Lsb}_{n-(h-1)\lceil n/h \rceil}(m) = \mathrm{Lsb}_{97}(m) = m_{1020}, \ldots, m_{1117}$.

PERMUTATION AND PADDING:

First, we choose a random integer $s$, say $s = 4$. We have

$r_1 = 0$, thus $d'_1 \leftarrow \mathrm{ROB}\#1 = (0, 1, 1, 0)$, where $(0, 1, 1, 0)$ is randomly chosen by Algorithm 3.1.

$r_2 = 1$, thus $d'_2 \leftarrow d_{\sum_{j=1}^{2} r_j} = d_1$.

$r_3 = 0$, thus $d'_3 \leftarrow \mathrm{ROB}\#2 = (1, 0, 1, 0)$, where $(1, 0, 1, 0)$ is randomly chosen by Algorithm 3.1.

$\vdots$

$r_{17} = 1$, thus $d'_{17} \leftarrow d_{\sum_{j=1}^{17} r_j} = d_{11}$.

$r_{18} = 0$, thus $d'_{18} \leftarrow \mathrm{ROB}\#(k - h) = \mathrm{ROB}\#7 = (0, 0, 1, 0)$, where $(0, 0, 1, 0)$ is randomly chosen by Algorithm 3.1.

The $k - h = 7$ ROB blocks of equal length $s = 4$ are combined with the message blocks $d_i$, $1 \le i \le h$, to produce the encoded message $m' = (d'_1 \| d'_2 \| \cdots \| d'_k)$. Finally, the algorithm outputs $m'$ as

$$m' = (\underbrace{0, 1, 1, 0}_{d'_1} \,\|\, \underbrace{m_1, \ldots, m_{102}}_{d'_2} \,\|\, \underbrace{1, 0, 1, 0}_{d'_3} \,\|\, \cdots \,\|\, \underbrace{m_{1020}, \ldots, m_{1117}, 1, 0, 1, 1, 0}_{d'_{17}} \,\|\, \underbrace{0, 0, 1, 0}_{d'_{18}}).$$

As we see, the length and the position of the message blocks $d_i$ are correlated to the number and the position of the random bits $r_i = 1$ respectively, and are completely random.



B. The proposed scheme 

Now, we are ready to define our proposed encryption scheme. Given a secure lattice-based encryption scheme $\Pi_{lbe} = (\mathrm{Gen}_{lbe}, \mathrm{Enc}_{lbe}, \mathrm{Dec}_{lbe})$, we construct an IND-CCA2 secure encryption scheme $\Pi_{cca2} = (\mathrm{Gen}_{cca2}, \mathrm{Enc}_{cca2}, \mathrm{Dec}_{cca2})$ as follows. This scheme can be used for the encryption of arbitrary-length long messages. System parameters: $n, k \in \mathbb{N}$, where $n \gg k$.

Key generation. Let $\mathrm{Gen}_{lbe}$ be the lattice-based key generator. On security parameter $1^k$, the generator $\mathrm{Gen}_{cca2}$ runs $\mathrm{Gen}_{lbe}(1^k)$ to obtain

$$sk = sk_{lbe} \quad \text{and} \quad pk = pk_{lbe}.$$

Encryption. To encrypt a message $m \in \{0,1\}^n$ with $n \gg k$, $\mathrm{Enc}_{cca2}(pk, m)$ works as follows.

• Uniformly chooses $r \leftarrow_R \{0,1\}^k$ at random and computes its Hamming weight $\mathrm{wt}(r) = h$.

• Randomly chooses a small integer $s$ and executes Algorithm 3.1 to generate the encoded message $m' = (d'_1 \| d'_2 \| \cdots \| d'_k)$ from the message $m$.

• Let $y$ be the decimal value of $m'$. Computes

$$C_1 = y \cdot h, \qquad C_2 = \mathrm{Enc}_{lbe}(pk, r)$$

and outputs the ciphertext $C = (C_1, C_2)$.

To handle CCA2-security and non-malleability related issues, we strictly correlate the message bits $m_i$, $1 \le i \le n$, to the randomness $r$ via the encoding process. The value of $y$ also correlates to the random binary string $r$ via its Hamming weight $h = \mathrm{wt}(r)$. So, to extract the message blocks $d_i$ from $C_1$, the CCA2 adversary must first recover exactly the same random binary string $r$ from the lattice-based cryptosystem, which is impossible if the underlying lattice-based one-way trapdoor cryptosystem is secure.

Decryption. $\mathrm{Dec}_{cca2}(sk, C)$ extracts the message $m$ by performing the following steps.

• Computes the random binary vector $r = \mathrm{Dec}_{lbe}(C_2, sk)$ and $h = \sum_{i=1}^{k} r_i$.

• Computes $y = C_1 / h$.

• Checks whether

$$\mathrm{Len}(y) = h \cdot \lceil n/h \rceil \qquad (1)$$

holds, and rejects if not (consistency check). If (1) holds, computes $v = \lceil n/h \rceil$ and the binary-coded decimal (BCD) $m'$ of $y$.

• Computes $s = (|m'| - hv)/(k - h)$ and rejects the ciphertext if $s$ is not an integer (verifies whether the padding information is correct or not).

• The lengths and positions of the message/ROB blocks are explicit; therefore, $\mathrm{Dec}_{cca2}$ can simply separate the ROB blocks from the encoded message $m'$ and extract the message blocks $d_i$, $1 \le i \le h$, with the following algorithm.

Algorithm 3.2: Message Extractor.

Input: $r = (r_1, \ldots, r_k)$, integers $h, v, s$ and encoded message $m'$.
Output: Retrieved message $m = (d_1 \| d_2 \| \cdots \| d_h)$.

1) For $i = 1$ to $k$ do: if $r_i = 0$, then $m' \leftarrow \mathrm{Lsb}_{|m'|-s}(m')$; else $d_{\sum_{j=1}^{i} r_j} \leftarrow \mathrm{Msb}_v(m')$ and $m' \leftarrow \mathrm{Lsb}_{|m'|-v}(m')$.

2) $m \leftarrow (d_1 \| d_2 \| \cdots \| d_{\sum_{j=1}^{k} r_j})$, where $\sum_{j=1}^{k} r_j = h$.

3) If $h \nmid n$, then $m \leftarrow \mathrm{Msb}_n(m)$ (remove the right $h \cdot \lceil n/h \rceil - n$ bits of $m$).

Return $m$.
IV. Security and performance analysis

A. Security analysis

In this subsection, we prove the CCA2-security of the proposed cryptosystem, which is built using the pre-coding approach with a secure lattice-based encryption scheme.

Theorem 1. Let $\Pi_{lbe} = (\mathrm{Gen}_{lbe}, \mathrm{Enc}_{lbe}, \mathrm{Dec}_{lbe})$ be a secure lattice-based encryption scheme; then the proposed scheme is CCA2-secure in the standard model.

In the proof of security, we exploit the fact that for a well-formed ciphertext, we can recover the message if we know the randomness $r$ that was used to create the ciphertext.

Proof: Suppose that $C^* = (C_1^*, C_2^*)$ is the challenge ciphertext. Let $S_i$ be the event that the adversary $A$ wins in Game $i$. Here is the sequence of games.

Game 0. We define Game 0, which is an interactive computation between an adversary $A$ and a simulator. This game is the usual CCA2 game used to define CCA2-security, in which the simulator provides the adversary's environment. Initially, the simulator runs the key generation algorithm and gives the public key to the adversary. The adversary submits two messages $m_0, m_1$ with $|m_0| = |m_1|$ to the simulator. The simulator chooses $b \in \{0,1\}$ at random and encrypts $m_b$, obtaining the challenge ciphertext $C^* = (C_1^*, C_2^*)$. The simulator gives $C^*$ to the adversary. We denote by $r^*$, $h^* = \mathrm{wt}(r^*)$, $v^* = \lceil n/h^* \rceil$, $s^*$ and $y^* = \mathrm{DV}(m'^*)$, where

$$m'^* = \mathrm{Encode}(m_b, r^*, s^*) \qquad (2)$$

the corresponding intermediate quantities computed by the encryption algorithm, where DV means the decimal value. The only restriction on the adversary's requests is that after it makes a challenge request, the subsequent decryption requests must not be the same as the challenge ciphertext. At the end of the game, the adversary $A$ outputs $b' \in \{0,1\}$. Let $S_0$ be the event that $b = b'$. Since Game 0 is identical to the CCA2 game, we have that

$$\mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}_{\Pi_{cca2},A}(k) = \left| \Pr[S_0] - \frac{1}{2} \right|$$

and our goal is to prove that this quantity is negligible.



Game 1. Define Game 1 as identical to Game 0, except that $h = h^*$.
Lemma 1. There exists an efficient adversary $A_1$ such that:

$$|\Pr[S_1] - \Pr[S_0]| \le \mathrm{Adv}_{\Pi_{lbe},A_1}(k). \qquad (3)$$

By the assumption that the lattice-based encryption scheme is secure, we have that $\mathrm{Adv}_{\Pi_{lbe},A_1}(k)$ is negligible.

Proof: Let $\mathrm{negl}(k) = |\Pr[S_1] - \Pr[S_0]|$. We can easily build an adversary $A_1$ who hopes to recover $m_b$ from Game 1. In this game, the adversary $A_1$ queries on input $(C_1, C_2) \ne (C_1^*, C_2^*)$, while $h = h^*$. The simulator takes as input $(C_1, C_2)$, $h = h^*$ and computes $r = \mathrm{Dec}_{lbe}(C_2, sk) \ne r^*$, $y = C_1 / h^* \ne y^*$ and so $m' \ne m'^*$. If $|m'|$ is not equal to the expected value $h^* \cdot \lceil n/h^* \rceil$, then the simulator rejects the ciphertext in (1). Since $m' \ne m'^*$, $s = (|m'| - h^* \cdot v)/(k - h^*) \ne s^*$, and the simulator rejects the ciphertext if $s$ is not an integer. Furthermore, since the positions of the message/ROB blocks ($r \ne r^*$) and the ROB block length $s$ are not explicit, the output of Algorithm 3.2 is not identical to $m_b$. Therefore, if the lattice-based encryption scheme is secure (i.e., the adversary cannot recover $r^*$ from it), then $A_1$'s advantage in this game is exactly equal to $\mathrm{negl}(k)$. By definition of $\mathrm{Adv}_{\Pi_{lbe},A_1}(k)$, we have $\mathrm{negl}(k) \le \mathrm{Adv}_{\Pi_{lbe},A_1}(k)$.

Remark 1. Notice that if one of the inputs of the message extractor Algorithm 3.2 (i.e., $r^*, v^*, s^*$ and $m'^*$) is not a legitimate input, then its output is not identical to $m_b$.

Remark 2. Notice that in order to query the simulator, the CCA2 adversary cannot modify $C_2$ based on the challenge ciphertext $C_2^*$ (well-formed decryption queries), since to correctly retrieve $m_b$ the simulator must know the exact value of the randomness $r^*$. So, if the lattice-based encryption scheme is secure, then the advantage of the CCA2 adversary is negligible.

Game 2. Define Game 2 as identical to Game 1, except that $C_1 = C_1^*$.
Lemma 2. There exists an efficient adversary $A_2$ such that:

$$|\Pr[S_2] - \Pr[S_1]| \le \mathrm{Adv}_{\Pi_{lbe},A_2}(k). \qquad (4)$$

By the assumption that the lattice-based encryption scheme is secure, we have that $\mathrm{Adv}_{\Pi_{lbe},A_2}(k)$ is negligible.

Proof: Let $\mathrm{negl}(k) = |\Pr[S_2] - \Pr[S_1]|$. Consider the adversary $A_2$ who aims to recover $m_b$ from this game. In this game, the adversary $A_2$ uniformly chooses $C_2 \ne C_2^*$ at random and queries on input $C = (C_1^*, C_2)$, $h = h^*$. In this case, the decryption simulator computes $r = \mathrm{Dec}_{lbe}(C_2, sk) \ne r^*$. It also computes $y = C_1 / h = y^*$, $v = v^*$, $s = s^*$. Although the message/ROB block length and the encoded message $m'$ are explicit, since the positions of the message/ROB blocks are not explicit ($r \ne r^*$), the output of Algorithm 3.2 is not identical to $m_b$. So, if the lattice-based encryption scheme is secure, then $A_2$'s advantage in this game is equal to $\mathrm{negl}(k)$. By definition of $\mathrm{Adv}_{\Pi_{lbe},A_2}(k)$, we have $\mathrm{negl}(k) \le \mathrm{Adv}_{\Pi_{lbe},A_2}(k)$.

Game 3. Define Game 3 as identical to Game 0, except that $C_2 = C_2^*$.
Lemma 3. There exists an efficient adversary $A_3$ such that

$$|\Pr[S_3] - \Pr[S_0]| \le \mathrm{Adv}_{\Pi_{lbe},A_3}(k). \qquad (5)$$

Proof: Suppose $\mathrm{negl}(k) = |\Pr[S_3] - \Pr[S_0]|$. We can easily build an adversary $A_3$ who wishes to recover $m_b$ from Game 3. In this game, the adversary $A_3$ uniformly chooses $C_1 \ne C_1^*$ at random and queries on input $(C_1, C_2^*)$. In this case, the simulator computes $r = \mathrm{Dec}_{lbe}(C_2^*, sk) = r^*$, $h = h^*$, $y = C_1 / h^* \ne y^*$ and so $m' \ne m'^*$. If $\mathrm{Len}(y) = |m'|$ is not equal to the expected value $h^* \cdot \lceil n/h^* \rceil$, then the simulator rejects the ciphertext in (1). Since $m' \ne m'^*$, $s = (|m'| - h^* \cdot v)/(k - h^*) \ne s^*$, and the simulator rejects the ciphertext if $s$ is not an integer. Furthermore, since the ROB block length $s$ and the encoded message $m'$ are not explicit, the output of Algorithm 3.2 is not identical to $m_b$, and so $A_3$'s advantage in this game is negligible. By definition of $\mathrm{Adv}_{\Pi_{lbe},A_3}(k)$, we have $\mathrm{negl}(k) \le \mathrm{Adv}_{\Pi_{lbe},A_3}(k)$.

Lemma 4. We claim that

$$\Pr[S_3] = 1/2. \qquad (6)$$

Proof: Game 3 is the same as Game 0, except that the component $C_1$ of the queried ciphertext $C = (C_1, C_2^*)$ is not computed as in the encryption algorithm ($C_1 = y \cdot h$) but rather chosen uniformly at random. So, the queried ciphertext $C$ is statistically independent of the challenge bit $b$. Thus, $A_3$'s advantage in Game 3 is obviously 0, and

$$\Pr[S_3] = \frac{1}{2}.$$

Completing the proof: We can write

$$|\Pr[S_0]| = |\Pr[S_0] + \Pr[S_0] - \Pr[S_0] + \Pr[S_1] - \Pr[S_1] + \Pr[S_2] - \Pr[S_2] + \Pr[S_3] - \Pr[S_3]|.$$

So we have

$$|\Pr[S_0]| \le |\Pr[S_3]| + |\Pr[S_3] - \Pr[S_0]| + |\Pr[S_2] - \Pr[S_1]| + |\Pr[S_1] - \Pr[S_0]| + |\Pr[S_2] - \Pr[S_0]|.$$

We have

$$|\Pr[S_2] - \Pr[S_0]| \le |\Pr[S_2] - \Pr[S_1]| + |\Pr[S_1] - \Pr[S_0]|. \qquad (7)$$

From equations (3), (4), (5), (6) and (7) we have:

$$|\Pr[S_0] - 1/2| \le \mathrm{Adv}_{\Pi_{lbe},A_3}(k) + 2\,\mathrm{Adv}_{\Pi_{lbe},A_2}(k) + 2\,\mathrm{Adv}_{\Pi_{lbe},A_1}(k).$$

By assumption, the right-hand side of the above inequality is negligible, which finishes the proof.

B. Performance analysis 

The performance-related issues can be discussed with respect to the computational complexity of key generation, key sizes, encryption and decryption speed, and information rate. The proposed cryptosystem features fast encryption and decryption. The time for computing the encoded message is negligible compared to the time for computing $(\mathrm{Enc}_{lbe}, \mathrm{Dec}_{lbe})$. Encryption roughly needs one application of $\mathrm{Enc}_{lbe}$ together with a multiplication, and decryption roughly needs one application of $\mathrm{Dec}_{lbe}$ together with a division. The public/secret keys are as in the original scheme. The length of the ciphertext is equal to $n + (k - h)s + k$. The information rate (i.e., the ratio of the binary length of the plaintext to that of the ciphertext) is equal to $n / (n + (k - h)s + k)$, and for $n \gg k$ and a small integer $s$ it is close to one. Compared to other CCA2-secure lattice-based schemes introduced to date, our scheme is very simple and more efficient.
V. Conclusion

We construct the first direct CCA2-secure variant of lattice-based PKE schemes, in a black-box manner, with provable security from worst-case hardness problems in (ideal) lattices. This novel approach is very simple and more efficient, and leads to the elimination of SU-OT-SSs or MACs for transforming CPA-secure schemes into CCA2-secure ones. We showed that this scheme has extra advantages, namely, its IND-CCA security remains tightly related (in the standard model) to worst-case hardness problems in lattices. Additionally, this scheme can be used for the encryption of long messages without employing the hybrid encryption method and symmetric encryption.